CVE-2021-43650
📋 TL;DR
CVE-2021-43650 is a SQL injection vulnerability in WebRun 3.6.0.42 that allows attackers to manipulate database queries via the P_0 parameter during login. This can lead to authentication bypass, data theft, or complete system compromise. Organizations using WebRun 3.6.0.42 are affected.
💻 Affected Systems
- WebRun
📦 What is this software?
Webrun by Softwell
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data exfiltration, privilege escalation to administrator, and potential remote code execution on the underlying server.
Likely Case
Authentication bypass allowing unauthorized access to the WebRun application, followed by data extraction and potential lateral movement within the network.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful exploitation.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID: 50542). The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.0.43 or later
Vendor Advisory: https://www.webrun.com/security-advisory
Restart Required: Yes
Instructions:
1. Download WebRun version 3.6.0.43 or later from the official vendor website.
2. Backup current configuration and data.
3. Stop the WebRun service.
4. Install the updated version.
5. Restart the WebRun service.
6. Verify the installation is successful.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the P_0 parameter before processing.
# Example for Apache mod_security
SecRule ARGS:P_0 "@rx [^a-zA-Z0-9@._-]" "id:1001,phase:2,deny,status:403,msg:'SQL Injection attempt detected'"
Web Application Firewall
Deploy a WAF with SQL injection protection rules to block malicious requests.
# Example ModSecurity rule
SecRule ARGS "@detectSQLi" "id:1002,phase:2,deny,status:403,msg:'SQL Injection detected'"
🧯 If You Can't Patch
- Implement network segmentation to isolate the WebRun server from critical systems
- Enable detailed logging and monitoring for SQL injection attempts on the P_0 parameter
🔍 How to Verify
Check if Vulnerable:
Test the login page with SQL injection payloads in the P_0 parameter (e.g., ' OR '1'='1). If login succeeds with invalid credentials, the system is vulnerable.
Check Version:
Check the WebRun administration interface or configuration files for version information. On Windows: check installed programs list. On Linux: check package manager or application directory.
Verify Fix Applied:
Attempt the same SQL injection test after patching. The login should fail with invalid credentials and no database errors should be visible.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL syntax in login requests
- Multiple failed login attempts with SQL keywords in username field
- Database error messages in application logs
Network Indicators:
- HTTP POST requests to login endpoint containing SQL keywords in parameters
- Unusual traffic patterns to database ports from web server
SIEM Query:
source="webrun.logs" AND ("P_0" AND ("OR" OR "UNION" OR "SELECT" OR "--"))
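An added example (not from the original page or the vendor) that goes beyond the SIEM query above: a Python log scanner that decodes the P_0 field, including double percent-encoding, before applying the allowlist from the ModSecurity rule and whole-word matching of the query's keywords. The log line format, the /login-placeholder path and the pass field are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Allowlist taken from the page's ModSecurity rule for P_0.
DISALLOWED = re.compile(r"[^a-zA-Z0-9@._-]")
# Keywords from the page's SIEM query, matched as whole words, plus "--".
SQL_TOKENS = re.compile(r"\b(?:or|union|select)\b|--", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is inspected in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Label one decoded P_0 value as clean, disallowed-char or sqli-suspect."""
    if not DISALLOWED.search(value):
        return "clean"
    return "sqli-suspect" if SQL_TOKENS.search(value) else "disallowed-char"

def scan(lines):
    """Return (line number, client IP, verdict, decoded P_0) for each flagged request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split(" ", 4)
        if len(parts) != 5:
            continue  # not in the assumed log format
        _ts, ip, _method, _path, body = parts
        for raw in parse_qs(body, keep_blank_values=True).get("P_0", []):
            value = fully_decode(raw)
            verdict = classify(value)
            if verdict != "clean":
                findings.append((lineno, ip, verdict, value))
    return findings

# Constructed sample log lines (assumed format: time, client IP, method, path, form body).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 198.51.100.7 POST /login-placeholder P_0=alice%40example.com&pass=x",
    "2024-05-01T10:00:05Z 203.0.113.9 POST /login-placeholder P_0=%27+OR+%271%27%3D%271&pass=x",
    "2024-05-01T10:00:09Z 203.0.113.9 POST /login-placeholder P_0=%2527%2520OR%2520%25271%2527%253D%25271&pass=x",
    "2024-05-01T10:00:12Z 198.51.100.8 POST /login-placeholder P_0=bob+smith&pass=x",
    "2024-05-01T10:00:15Z 198.51.100.8 POST /login-placeholder P_0=orlando&pass=x",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line is double-encoded: a plain keyword search on the raw log text sees `%2520OR%2520` and finds no whole-word match, while the decoded value is flagged.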